Merge r246868 - ReplacementFragment should not have script observable…
… side effects https://bugs.webkit.org/show_bug.cgi?id=199147 Reviewed by Wenson Hsieh. Source/WebCore: Fixed the bug that ReplacementFragment has script observable side effects. Use a brand new document for sanitization where the script is disabled for test rendering, and remove style and script elements as well as event handlers before the test rendering and the actual pasting. Test: editing/pasteboard/paste-contents-with-side-effects.html * editing/ReplaceSelectionCommand.cpp: (WebCore::ReplacementFragment::document): Deleted. (WebCore::ReplacementFragment::ReplacementFragment): Use createPageForSanitizingWebContent to create our own document for test rendering. We need to copy over the computed style from the root editable element (editing host) to respect whitespace treatment, etc... (WebCore::ReplacementFragment::removeContentsWithSideEffects): Moved from removeHeadContents. Now removes event handlers and JavaScript URLs. (WebCore::ReplacementFragment::insertFragmentForTestRendering): Renamed variable names. (WebCore::ReplaceSelectionCommand::willApplyCommand): Create the plain text and HTML markup for beforeinput and input events before ReplacementFragment removes contents with side effects. (WebCore::ReplaceSelectionCommand::ensureReplacementFragment): The removal of head elements is now done in ReplacementFragment's constructor. LayoutTests: Added regression tests. * editing/pasteboard/paste-contents-with-side-effects-expected.txt: Added. * editing/pasteboard/paste-contents-with-side-effects.html: Added.
1 parent
f2119a0
commit 14d995d
Showing
5 changed files
with
188 additions
and
46 deletions.
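--- a/LayoutTests/editing/pasteboard/paste-contents-with-side-effects-expected.txt
+++ b/LayoutTests/editing/pasteboard/paste-contents-with-side-effects-expected.txt
@@ -0,0 +1,22 @@
+This tests inserting content with an event handler. WebKit should never execute event handlers.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+
+Inserting with load event handler
+PASS event.dataTransfer.getData('text/html').includes('onload="') is true
+PASS event.dataTransfer.getData('text/html').includes('onmouseover="') is true
+PASS didExecute is false
+
+Inserting with script element
+PASS event.dataTransfer.getData('text/html').includes('script') is true
+PASS didExecute is false
+
+Inserting iframe with a name into plaintext-only
+PASS event.dataTransfer.getData("text/html").includes("iframe name=") is true
+PASS didExecute is false
+PASS successfullyParsed is true
+
+TEST COMPLETE
+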
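--- a/LayoutTests/editing/pasteboard/paste-contents-with-side-effects.html
+++ b/LayoutTests/editing/pasteboard/paste-contents-with-side-effects.html
@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src="../../resources/js-test.js"></script>
+<div id="editor" contenteditable></div>
+<script>
+
+description('This tests inserting content with an event handler. WebKit should never execute event handlers.');
+
+editor.focus();
+
+function insertHTML(markup) {
+editor.textContent = '';
+editor.focus();
+document.execCommand('insertHTML', false, markup);
+}
+
+let didExecute = false;
+debug('');
+debug('Inserting with load event handler');
+editor.addEventListener('beforeinput', () => {
+shouldBeTrue(`event.dataTransfer.getData('text/html').includes('onload="')`);
+shouldBeTrue(`event.dataTransfer.getData('text/html').includes('onmouseover="')`);
+}, {once: true});
+insertHTML('<iframe onload="didExecute = true" onmouseover="alert(\'FAIL\')"></iframe>');
+shouldBeFalse('didExecute');
+
+didExecute = false;
+debug('');
+debug('Inserting with script element');
+editor.addEventListener('beforeinput', () => {
+shouldBeTrue(`event.dataTransfer.getData('text/html').includes('script')`);
+}, {once: true});
+insertHTML(`<iframe src="data:text/html,<!DOCTYPE html><b>hi</b><script>alert("FAIL")</scr` + 'ipt>"></iframe>');
+shouldBeFalse('didExecute');
+
+didExecute = false;
+debug('');
+debug('Inserting iframe with a name into plaintext-only');
+editor.setAttribute('contenteditable', 'plaintext-only');
+
+let i = 0;
+function insertObjectElement() {
+const object = document.createElement('object');
+object.data = 'about:blank';
+object.onload = () => {
+try {
+if (window.open('about:blank', 'named-frame').frameElement.parentNode)
+didExecute = true;
+} catch (e) { }
+if (!didExecute)
+insertObjectElement();
+}
+document.body.appendChild(object);
+}
+insertObjectElement();
+editor.focus();
+editor.addEventListener('beforeinput', () => {
+shouldBeTrue(`event.dataTransfer.getData("text/html").includes("iframe name=")`);
+}, {once: true});
+insertHTML(`<iframe name='named-frame'></iframe>`);
+shouldBeFalse('didExecute');
+didExecute = true;
+
+</script>
+</body>
+</html>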
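Review bot: In the "Inserting with script element" case, `shouldBeFalse('didExecute')` cannot fail, because the payload inside the data: URL only calls `alert("FAIL")` and never sets `didExecute`; a regression there would presumably surface only as an unexpected alert line in the harness output rather than through this assertion. A short comment above that check would make the real detection path explicit, e.g. `// The payload cannot set didExecute; a regression would show up as an alert in the test output.` The closing `didExecute = true;` after the last assertion also deserves a comment such as `// Stop insertObjectElement() from re-inserting itself.`, since without it the line reads like a mistake. `let i = 0;` appears to be unused and the empty `catch (e) { }` would be clearer with a note on which exception is expected.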